CS 5450 HTTP. Vitaly Shmatikov
|
|
- Sherilyn Johnson
- 5 years ago
- Views:
Transcription
1 CS 5450 HTTP Vitaly Shmatikov
2 Browser and Network Browser OS Hardware request reply website Network slide 2
3 HTML A web page includes Base HTML file Referenced objects (e.g., images) HTML: Hypertext Markup Language Representation of hypertext documents in ASCII Web browsers interpret HTML when rendering a page Format text, reference images, embed hyperlinks (HREF) slide 3
4 HTTP: HyperText Transfer Protocol Used to request and return data Methods: GET, POST, HEAD, Stateless request/response protocol Each request is independent of previous requests Statelessness has a significant impact on design and implementation of applications Evolution HTTP 1.0: simple HTTP 1.1: more complex slide 4
5 Steps in an HTTP Request Client Server SYN (i) SYN(j) + ACK(i+1) HTTP GET HTTP Response Server processes the request Client parses the response FIN slide 5
6 HTTP Request Method File HTTP version Headers GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT Blank line Body none for GET slide 6
7 HTTP Methods GET Return current value of a resource, run program, etc. HEAD Return the metadata associated with a resource POST Update resource, provide input to a program slide 7
8 Generating a Response Return a file ( static content ) URL matches a file (e.g., /www/index.html) Server returns the file s contents as the response Server generates appropriate response header Generate a response dynamically URL triggers a program on the server Server executes the program and sends output to client in the HTTP response Return metadata with no body slide 8
9 HTTP Response HTTP version Status code Reason phrase Headers HTTP/ OK Date: Sun, 21 Apr :20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr :39:05 GMT Content-Length: 2543 Data <HTML> Some data... blah, blah, blah </HTML> slide 9
10 HTTP Is Stateless Each request-response exchange is treated independently, server not required to retain state Good: improves scalability on the server side Don t have to retain info across client requests Can handle higher rate of client requests Order of client requests doesn t matter Bad: some apps need persistent state Uniquely identify user or store temporary info (e.g., shopping cart, user preferences/profiles, usage tracking, etc.) slide 10
11 Website Storing Info In Browser A cookie is a file created by a website to store information in the browser Browser POST login.cgi username and pwd Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (send only over HTTPS) If expires = NULL, this session only Browser GET restricted.html Cookie: NAME=VALUE Server HTTP is a stateless protocol; cookies add state slide 11
12 What Are Cookies Used For? Authentication The cookie proves to the website that the client previously authenticated correctly Personalization Helps the website recognize the user from a previous visit Tracking Follow the user from site to site; learn his/her browsing behavior, preferences, and so on slide 12
13 Web Authentication with Cookies Authentication system that works over HTTP and does not require servers to store session data except for logout status After client successfully authenticates, server computes an authenticator token and gives it to the browser as a cookie Client should not be able forge authenticator on his own Example: HMAC(server s secret key, session information) With each request, browser presents the cookie; server recomputes and verifies the authenticator Server does not need to remember the authenticator slide 13
14 Typical Session with Cookies client server POST /login.cgi Set-Cookie:authenticator GET /restricted.html Cookie:authenticator Restricted content Verify that this client is authorized Check validity of authenticator recompute hash(key, session) Authenticators must be unforgeable and tamper-proof (malicious client shouldn t be able to compute his own or modify an existing authenticator) slide 14
15 Goals of Browser Security Safe to visit an evil website Safe to visit two pages at the same time Safe delegation slide 15
16 Browser: Basic Execution Model Each browser window or frame: Loads content Renders Processes HTML and scripts to display the page May involve images, subframes, etc. Responds to events Events User actions: OnClick, OnMouseover Rendering: OnLoad, OnUnload slide 16
17 JavaScript The world s most misunderstood programming language Language executed by the browser Scripts are embedded in Web pages Can run before HTML is loaded, before page is viewed, while it is being viewed, or when leaving the page Used to implement active web pages AJAX, huge number of Web-based applications slide 17
18 JavaScript History Developed by Brendan Eich at Netscape Scripting language for Navigator 2 Later standardized for browser compatibility ECMAScript Edition 3 (aka JavaScript 1.5) Related to Java in name only Name was part of a marketing deal Java is to JavaScript as car is to carpet Various implementations available slide 18
19 JavaScript in Web Pages Embedded in HTML page as <script> element JavaScript written directly inside <script> element <script> alert("hello World!") </script> Linked file as src attribute of the <script> element <script type="text/javascript" src= functions.js"></script> Event handler attribute <a href=" onmouseover="alert('hi');"> Pseudo-URL referenced by a link <a href= JavaScript: alert( You clicked ); >Click me</a> Many other ways slide 19
20 Document Object Model (DOM) HTML page is structured data DOM is object-oriented representation of the hierarchical HTML structure Properties: document.alinkcolor, document.url, document.forms[ ], document.links[ ], Methods: document.write(document.referrer) These change the content of the page! Also Browser Object Model (BOM) Window, Document, Frames[], History, Location, Navigator (type and version of browser) slide 20
21 Browser Sandbox Goal: safely execute JavaScript code provided by a remote website No direct file access, limited access to OS, network, browser data, content that came from other websites Same origin policy (SOP) Can only read properties of documents and windows from the same protocol, domain, and port slide 21
22 SOP for Reading Cookies Browser GET //URL-domain/URL-path Cookie: NAME = VALUE Server Browser sends all cookies in URL scope: cookie-domain is domain-suffix of URL-domain cookie-path is prefix of URL-path protocol=https if cookie is secure slide 22
23 Examples of Cookie Reading SOP cookie 1 name = userid value = u1 domain = login.site.com path = / secure cookie 2 name = userid value = u2 domain =.site.com path = / non-secure both set by login.site.com cookie: userid=u2 cookie: userid=u2 cookie: userid=u1; userid=u2 slide 23
24 SOP for JavaScript in Browser Same domain scoping rules as for sending cookies to the server document.cookie returns a string with all cookies available for the document Often used in JavaScript to customize page Javascript can set and delete cookies via DOM document.cookie = name=value; expires= ; document.cookie = name=; expires= Thu, 01-Jan-70 slide 24
s642 web security computer security adam everspaugh
s642 computer security web security adam everspaugh ace@cs.wisc.edu review memory protections / data execution prevention / address space layout randomization / stack protector Sandboxing / Limit damage
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Browser and Network Browser OS Hardware request reply website Network slide 2 Web
More informationRunning Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.
CSE 127 Winter 2008 Security Collin Jackson Running Remote Code is Risky Compromise Host Write to file system Interfere with other processes Steal information Read file system Read information associated
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 5.1: Web Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Wil Robertson (Northeastern) John Mitchell
More informationWeb Security [SSL/TLS and Browser Security Model]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationWeb Security: XSS; Sessions
Web Security: XSS; Sessions CS 161: Computer Security Prof. Raluca Ada Popa Mar 22, 2018 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh SQL Injection
More informationComputer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2009 Lecture 24 Announcements Plan for Today: Web Security Part Project 4 is due 28 April 2009 at 11:59 pm Final exam has been scheduled: Friday,
More informationWeb Security. CS642: Computer Security. Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu
Web Security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu Liberal borrowing from Mitchell, Boneh, Stanford CS 155 University of Wisconsin CS 642
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationBrowser Security Model
CS155 Spring 2016 Browser Security Model John Mitchell Acknowledgments: Lecture slides are from the Computer Security course thought by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationWeb Security. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu
Web Security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu Liberal borrowing from Mitchell, Boneh, Stanford CS 155 University of Wisconsin CS 642
More informationCSE392/ISE331. Web Security Goals & Workings of the Web. Nick Nikiforakis
CSE392/ISE331 Web Security Goals & Workings of the Web Nick Nikiforakis nick@cs.stonybrook.edu Goals of Web Security Safely browse the Web A malicious website cannot steal information from or modify legitimate
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 24
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 24 Announcements Project 4 is Due Friday May 2nd at 11:59 PM Final exam: Friday, May 12th. Noon - 2:00pm DRLB A6 Today: Web security
More informationCookies and Passwords
Cookies and Passwords Vitaly Shmatikov modified by EJ Jung slide 1 Browser and Network Browser OS Hardware request reply website Network slide 2 HTTP: HyperText Transfer Protocol! Used to request and return
More informationAnnouncements. Schedule. Homework 1 was due on Monday... quesgons? Homework 2 will be assigned as soon as I can
Announcements Schedule Web security part 1 today, part 2 in two weeks Next week: guest lecture by David Parter on Oct 15 Lecture cancelled on Oct 17 Crypto secgon will start on Oct 24 Homework 1 was due
More informationCS526: Information security
Cristina Nita-Rotaru CS526: Information security Readings for This Lecture Wikipedia } HTTP Cookie } Same Origin Policy } Cross Site Scripting } Cross Site Request Forgery 2 1: Background Background }
More informationLecture 3. HTTP v1.0 application layer protocol. into details. HTTP 1.0: RFC 1945, T. Berners-Lee HTTP 1.1: RFC 2068, 2616
Lecture 3. HTTP v1.0 application layer protocol into details HTTP 1.0: RFC 1945, T. Berners-Lee Lee,, R. Fielding, H. Frystyk, may 1996 HTTP 1.1: RFC 2068, 2616 Ascii protocol uses plain text case sensitive
More informationCSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno
CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,
More informationWeb Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
Web Attacks, con t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 22, 2011 Announcements See Still confused
More informationWeb Applica+on Security
Web Applica+on Security Raluca Ada Popa Feb 25, 2013 6.857: Computer and Network Security See last slide for credits Outline Web basics: HTTP Web security: Authen+ca+on: passwords, cookies Security amacks
More informations642 web security computer security adam everspaugh
adam everspaugh ace@cs.wisc.edu s642 computer security web security today Authentication cookies + session hijacking Browser security model, frame policies Cross-site request forgery Announcement: No class
More informationBrowser Security Model
CS155 Spring 2015 Browser Security Model John Mitchell Web vs System vulnerabilities XSS peak Decline in % web vulns since 2009 49% in 2010 -> 37% in 2011. Big decline in SQL Injection vulnerabilities
More informationBrowser Security Model
CS155 Spring 2014 Browser Security Model John Mitchell Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities Web vs System vulnerabilities XSS peak!
More informationLecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications
Internet and Intranet Protocols and Applications Lecture 7b: HTTP Feb. 24, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu WWW - HTTP/1.1 Web s application layer protocol
More informationContent Delivery on the Web: HTTP and CDNs
Content Delivery on the Web: HTTP and CDNs Mark Handley UCL Computer Science CS 3035/GZ01 Outline The Web: HTTP and caching The Hypertext Transport Protocol: HTTP HTTP performance Persistent and concurrent
More informationHTTP Protocol and Server-Side Basics
HTTP Protocol and Server-Side Basics Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming HTTP Protocol and Server-Side Basics Slide 1/26 Outline The HTTP protocol Environment Variables
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationApplications & Application-Layer Protocols: The Web & HTTP
CPSC 360 Network Programming Applications & Application-Layer Protocols: The Web & HTTP Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu http://www.cs.clemson.edu/~mweigle/courses/cpsc360
More informationWeb, HTTP and Web Caching
Web, HTTP and Web Caching 1 HTTP overview HTTP: hypertext transfer protocol Web s application layer protocol client/ model client: browser that requests, receives, displays Web objects : Web sends objects
More informationCSCI-1680 WWW Rodrigo Fonseca
CSCI-1680 WWW Rodrigo Fonseca Based partly on lecture notes by Sco2 Shenker and John Janno6 Administrivia HW3 out today Will cover HTTP, DNS, TCP TCP Milestone II coming up on Monday Make sure you sign
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationIntroduc)on to Computer Networks
Introduc)on to Computer Networks COSC 4377 Lecture 3 Spring 2012 January 25, 2012 Announcements Four HW0 s)ll missing HW1 due this week Start working on HW2 and HW3 Re- assess if you found HW0/HW1 challenging
More informationMWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS
Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7 INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4
More informationLecture 9a: Sessions and Cookies
CS 655 / 441 Fall 2007 Lecture 9a: Sessions and Cookies 1 Review: Structure of a Web Application On every interchange between client and server, server must: Parse request. Look up session state and global
More informationCSCI-1680 WWW Rodrigo Fonseca
CSCI-1680 WWW Rodrigo Fonseca Based partly on lecture notes by Scott Shenker and John Jannotti Precursors 1945, Vannevar Bush, Memex: a device in which an individual stores all his books, records, and
More informationHow to work with HTTP requests and responses
How a web server processes static web pages Chapter 18 How to work with HTTP requests and responses How a web server processes dynamic web pages Slide 1 Slide 2 The components of a servlet/jsp application
More informationProduced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar
Mobile Application Development Higher Diploma in Science in Computer Science Produced by Eamonn de Leastar (edeleastar@wit.ie) Department of Computing, Maths & Physics Waterford Institute of Technology
More informationComputer Networks. Wenzhong Li. Nanjing University
Computer Networks Wenzhong Li Nanjing University 1 Chapter 8. Internet Applications Internet Applications Overview Domain Name Service (DNS) Electronic Mail File Transfer Protocol (FTP) WWW and HTTP Content
More informationINTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary
INTERNET ENGINEERING HTTP Protocol Sadegh Aliakbary Agenda HTTP Protocol HTTP Methods HTTP Request and Response State in HTTP Internet Engineering 2 HTTP HTTP Hyper-Text Transfer Protocol (HTTP) The fundamental
More informationCS 43: Computer Networks. HTTP September 10, 2018
CS 43: Computer Networks HTTP September 10, 2018 Reading Quiz Lecture 4 - Slide 2 Five-layer protocol stack HTTP Request message Headers protocol delineators Last class Lecture 4 - Slide 3 HTTP GET vs.
More informationWeb Security: Cross-Site Attacks
Web Security: Cross-Site Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin,
More information3. WWW and HTTP. Fig.3.1 Architecture of WWW
3. WWW and HTTP The World Wide Web (WWW) is a repository of information linked together from points all over the world. The WWW has a unique combination of flexibility, portability, and user-friendly features
More informationUnraveling the Mysteries of J2EE Web Application Communications
Unraveling the Mysteries of J2EE Web Application Communications An HTTP Primer Peter Koletzke Technical Director & Principal Instructor Common Problem What we ve got here is failure to commun cate. Captain,
More informationOutline of Lecture 3 Protocols
Web-Based Information Systems Fall 2007 CMPUT 410: Protocols Dr. Osmar R. Zaïane University of Alberta Course Content Introduction Internet and WWW TML and beyond Animation & WWW CGI & TML Forms Javascript
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
More informationReview of Previous Lecture
Review of Previous Lecture Network access and physical media Internet structure and ISPs Delay & loss in packet-switched networks Protocol layers, service models Some slides are in courtesy of J. Kurose
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationOSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
OSI Session / presentation / application Layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Higher level protocols On top of IP, TCP, UDP, etc. there are a plethora
More informationWeb Security: Loose Ends
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Loose Ends Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,
More informationSession 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes
Session 8 Deployment Descriptor 1 Reading Reading and Reference en.wikipedia.org/wiki/http Reference http headers en.wikipedia.org/wiki/list_of_http_headers http status codes en.wikipedia.org/wiki/_status_codes
More informationInternet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP
Web Programming - 2 (Ref: Chapter 2) TCP/IP Basics Internet Architecture Client Server Basics URL and MIME Types HTTP Routers interconnect the network TCP/IP software provides illusion of a single network
More informationCMSC 332 Computer Networking Web and FTP
CMSC 332 Computer Networking Web and FTP Professor Szajda CMSC 332: Computer Networks Project The first project has been posted on the website. Check the web page for the link! Due 2/2! Enter strings into
More informationWeb Technology. COMP476 Networked Computer Systems. Hypertext and Hypermedia. Document Representation. Client-Server Paradigm.
Web Technology COMP476 Networked Computer Systems - Paradigm The method of interaction used when two application programs communicate over a network. A server application waits at a known address and a
More informationAnnouncements. The World Wide Web. Retrieving From the Server. Goals of Today s Lecture. The World Wide Web. POP3 Protocol
Announcements The World Wide Web Project #2 out Checkpoint due Weds Oct 18 Full project due Thurs Oct 26 EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip
More informationCS 43: Computer Networks. Layering & HTTP September 7, 2018
CS 43: Computer Networks Layering & HTTP September 7, 2018 Last Class: Five-layer Internet Model Application: the application (e.g., the Web, Email) Transport: end-to-end connections, reliability Network:
More informationNotes beforehand... For more details: See the (online) presentation program.
Notes beforehand... Notes beforehand... For more details: See the (online) presentation program. Topical overview: main arcs fundamental subjects advanced subject WTRs Lecture: 2 3 4 5 6 7 8 Today: the
More informationThe World Wide Web. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim
The World Wide Web EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationCS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
More informationEE 122: HyperText Transfer Protocol (HTTP)
Background EE 122: HyperText Transfer Protocol (HTTP) Ion Stoica Nov 25, 2002 World Wide Web (WWW): a set of cooperating clients and servers that communicate through HTTP HTTP history - First HTTP implementation
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationLecture 6 Application Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 6 Application Layer Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Application-layer protocols Application: communicating, distributed processes running in network hosts
More informationCS144: Sessions. Cookie : CS144: Web Applications
CS144: Sessions HTTP is a stateless protocol. The server s response is purely based on the single request, not anything else Q: How does a web site like Amazon can remember a user and customize its results?
More informationOctober 08: Introduction to Web Security
October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy
More informationWEB APPLICATION ENGINEERING II
WEB APPLICATION ENGINEERING II Lecture #5 Umar Ibrahim Enesi Objectives Gain understanding of how Cookies and Sessions Work Understand the limitations of Sessions and Cookies Understand how to handle Session
More informationWorld-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved
World-Wide Web Protocols CS 571 Fall 2006 2006 Kenneth L. Calvert All rights reserved World-Wide Web The Information Universe World-Wide Web structure: hypertext Nonlinear presentation of information Key
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationCOMPUTER NETWORK. Homework #1. Due Date: March 29, 2017 in class
Computer Network Homework#1 COMPUTER NETWORK Homework #1 Due Date: March 29, 2017 in class Question 1 What is the role of HTTP in a network application? What other components are needed to complete a Web
More informationWWW: the http protocol
Internet apps: their protocols and transport protocols Application e-mail remote terminal access Web file transfer streaming multimedia remote file Internet telephony Application layer protocol smtp [RFC
More informationHyperText Transfer Protocol
Outline Introduce Socket Programming Domain Name Service (DNS) Standard Application-level Protocols email (SMTP) HTTP HyperText Transfer Protocol Defintitions A web page consists of a base HTML-file which
More informationRESTful Services. Distributed Enabling Platform
RESTful Services 1 https://dev.twitter.com/docs/api 2 http://developer.linkedin.com/apis 3 http://docs.aws.amazon.com/amazons3/latest/api/apirest.html 4 Web Architectural Components 1. Identification:
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More information8/19/2018. Web Development & Design Foundations with HTML5. Learning Objectives (1 of 2) Learning Objectives (2 of 2) What is JavaScript?
Web Development & Design Foundations with HTML5 Ninth Edition Chapter 14 A Brief Look at JavaScript and jquery Slides in this presentation contain hyperlinks. JAWS users should be able to get a list of
More informationCMPE 151: Network Administration. Servers
CMPE 151: Network Administration Servers Announcements Unix shell+emacs tutorial. Basic Servers Telnet/Finger FTP Web SSH NNTP Let s look at the underlying protocols. Client-Server Model Request Response
More informationWeb Development & Design Foundations with HTML5, 8 th Edition Instructor Materials Chapter 14 Test Bank
Multiple Choice. Choose the best answer. 1. JavaScript can be described as: a. an object-oriented scripting language b. an easy form of Java c. a language created by Microsoft 2. Select the true statement
More informationHTTP Reading: Section and COS 461: Computer Networks Spring 2013
HTTP Reading: Section 9.1.2 and 9.4.3 COS 461: Computer Networks Spring 2013 1 Recap: Client-Server Communication Client sometimes on Initiates a request to the server when interested E.g., Web browser
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationWeb Standards. Web Technologies. Web Standards. URI and URL
Web Technologies Claudio Fornaro ver. 1.2 1 Web Standards At its core, the Web is made up of three standards: the Uniform Resource Identifier (URI), which is a universal system for referencing resources
More informationElectronic Mail. Three Components: SMTP SMTP. SMTP mail server. 1. User Agents. 2. Mail Servers. 3. SMTP protocol
SMTP Electronic Mail Three Components: 1. User Agents a.k.a. mail reader e.g., gmail, Outlook, yahoo 2. Mail Servers mailbox contains incoming messages for user message queue of outgoing (to be sent) mail
More informationSession 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers
Session 9 Deployment Descriptor Http 1 Reading Reading and Reference en.wikipedia.org/wiki/http Reference http headers en.wikipedia.org/wiki/list_of_http_headers http status codes en.wikipedia.org/wiki/http_status_codes
More informationApplication Layer: The Web and HTTP Sec 2.2 Prof Lina Battestilli Fall 2017
CSC 401 Data and Computer Communications Networks Application Layer: The Web and HTTP Sec 2.2 Prof Lina Battestilli Fall 2017 Outline Application Layer (ch 2) 2.1 principles of network applications 2.2
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationCS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.
CS 355 Computer Networking Wei Lu, Ph.D., P.Eng. Chapter 2: Application Layer Overview: Principles of network applications? Introduction to Wireshark Web and HTTP FTP Electronic Mail SMTP, POP3, IMAP DNS
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationNetworking. Layered Model. DoD Model. Application Layer. ISO/OSI Model
Networking Networking is concerned with the physical topology of two or more communicating entities and the logical topology of data transmission. Layered Model Systems communicate over a shared communication
More informationAnnouncements. The World Wide Web. Goals of Today s Lecture. The World Wide Web HTML. Web Components
Announcements The World Wide Web Project #1 - Milestone 1 Due 11pm Tonight No slip days! EE 122: Intro to Communication Networks Fall 2007 (WF 4-5:30 in Cory 277) Lisa Fowler / Vern Paxson TAs: Lisa Fowler,
More information7.2.4 on Media content; on XSS) sws2 1
Software and Web Security 2 Attacks on Clients (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked by malicious input web browser web server
More informationWEB TECHNOLOGIES CHAPTER 1
WEB TECHNOLOGIES CHAPTER 1 WEB ESSENTIALS: CLIENTS, SERVERS, AND COMMUNICATION Modified by Ahmed Sallam Based on original slides by Jeffrey C. Jackson THE INTERNET Technical origin: ARPANET (late 1960
More informationThe HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1
The HTTP protocol Fulvio Corno, Dario Bonino 08/10/09 http 1 What is HTTP? HTTP stands for Hypertext Transfer Protocol It is the network protocol used to delivery virtually all data over the WWW: Images
More informationCORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks
Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents What is CORS?...3 How to Test?...4 CORS Checker Script...6 References...9 2 P a g e What is CORS? CORS
More information1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10
EE 586 Communication and Switching Networks (Fall 2010) Lecture 10 September 17 2010 1-1 Announcement Send me your group and get group ID HW3 (short) out on Monday Personal leave for next two weeks No
More informationCS155. *Original slides were created by Prof. Dan Boneh
CS155 Web Security: Session Management *Original slides were created by Prof. Dan Boneh Same origin policy: review Review: Same Origin Policy (SOP) for DOM: Origin A can access origin B s DOM if match
More information